A neat trick! Package exploits were in use in 2009, and embedded in email attachment RTF files with an enticement to click: The embedded executable file was a downloader that brought in the malware. ---- rich
Like an embedded macro, the user will be prompted to allow the script activity. To "idiot proof," just follow MS's recommendation:

Prevention and recovery recommendations

Administrators can prevent activation of OLE packages by modifying the registry key HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security\PackagerPrompt.

The Office version values should be:
16.0 (Office 2016)
15.0 (Office 2013)
14.0 (Office 2010)
12.0 (Office 2007)

Setting the value to 2 will cause the to disable packages, and they won’t be activated if a user tries to interact with or double-click them.

The value options for the key are:
0 – No prompt from Office when user clicks, object executes
1 – Prompt from Office when user clicks, object executes
2 – No prompt, Object does not execute

You can find details about this registry key in the Microsoft Support article, https://support.microsoft.com/en-us/kb/926530
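
One way to apply and verify the setting quoted above for the current user, as an added example that is not part of the original posts or of Microsoft's article. The application subkey names (Word, Excel, PowerPoint) and the DWORD value type are assumptions; adjust them to the Office applications actually installed.

```powershell
# Added example: audit and set PackagerPrompt under HKCU for the current user.
$Versions = '16.0', '15.0', '14.0', '12.0'   # Office versions listed in the post
$Apps     = 'Word', 'Excel', 'PowerPoint'     # assumed <Office application> subkey names
$Desired  = 2                                 # 2 = no prompt, object does not execute

function Get-PackagerPrompt {
    param([string]$Version, [string]$App)
    $path = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    $item = Get-ItemProperty -Path $path -Name PackagerPrompt -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path  = $path
        Value = if ($item) { $item.PackagerPrompt } else { $null }
    }
}

function Set-PackagerPrompt {
    param([string]$Version, [string]$App, [int]$Value)
    $appKey = "HKCU:\Software\Microsoft\Office\$Version\$App"
    # Skip version/application pairs that have no key for this user.
    if (-not (Test-Path $appKey)) { return $false }
    $sec = Join-Path $appKey 'Security'
    if (-not (Test-Path $sec)) { New-Item -Path $sec -Force | Out-Null }
    # Value type assumed to be DWORD.
    New-ItemProperty -Path $sec -Name PackagerPrompt -PropertyType DWord `
        -Value $Value -Force | Out-Null
    return $true
}

foreach ($v in $Versions) {
    foreach ($a in $Apps) {
        $before = (Get-PackagerPrompt $v $a).Value
        if (Set-PackagerPrompt $v $a $Desired) {
            $after = (Get-PackagerPrompt $v $a).Value
            $shown = if ($null -eq $before) { 'unset' } else { $before }
            # Report old and new value so a 0 (silent execute) stands out.
            '{0} {1}: PackagerPrompt {2} -> {3}' -f $v, $a, $shown, $after
        }
    }
}
```

Because the key lives under HKCU, the script has to run in each user's context (for example from a logon script) to cover every account on a machine.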